Department of Homeland Security

Department of Homeland Security’s FY 2012
Compliance with the Improper Payments
Elimination and Recovery Act of 2010

OIG-13-47    March 2013

OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

MAR 12 2013

MEMORANDUM FOR:   Stacy Marcott
                  Deputy Chief Financial Officer
                  Office of Chief Financial Officer

FROM:             Anne L. Richards
                  Assistant Inspector General for Audits

SUBJECT:          Department of Homeland Security’s FY 2012 Compliance
                  with the Improper Payments Elimination and Recovery Act
                  of 2010

Attached for your action is our final report, Department of Homeland Security’s FY 2012
Compliance with the Improper Payments Elimination and Recovery Act of 2010. We
incorporated the formal comments from the Departmental GAO-OIG Liaison Office in
the final report.

The report contains eight recommendations aimed at improving the overall effectiveness
of the improper payment reduction program. The Departmental GAO-OIG Liaison Office
concurred with all the recommendations. Based on information provided in the
Department’s response to the draft report, we consider all recommendations resolved.
Once your office has fully implemented the recommendations, please submit a formal
closeout letter to us within 30 days so that we may close the recommendations.
The memorandum should be accompanied by evidence of completion of agreed-upon
corrective actions and of the disposition of any monetary amounts.

Consistent with our responsibility under the Inspector General Act, we are providing
copies of our report to appropriate congressional committees with oversight and
appropriation responsibility over the Department of Homeland Security. We will post
the report on our website for public dissemination.

Please call me with any questions, or your staff may contact Mark Bell, Deputy Assistant
Inspector General for Audits, at (202) 254-4100.

Attachment

Table of Contents

Executive Summary
Background
Results of Audit
    DHS’ Compliance with IPERA
    DHS’ Controls over Improper Payment Testing and Reporting
    Recommendations
    Management Comments and OIG Analysis

Appendixes
    Appendix A:  Objectives, Scope, and Methodology
    Appendix B:  Management Comments to the Draft Report
    Appendix C:  Major Contributors to This Report
    Appendix D:  Report Distribution

Abbreviations
    AFR     Annual Financial Report
    CBP     U.S. Customs and Border Protection
    CFO     Chief Financial Officer
    DHS     Department of Homeland Security
    ePMO    electronic Program Management Office
    FEMA    Federal Emergency Management Agency
    FY      fiscal year
    ICE     U.S. Immigration and Customs Enforcement
    IPERA   Improper Payments Elimination and Recovery Act of 2010
    IPIA    Improper Payments Information Act of 2002
    NPPD    National Protection and Programs Directorate
    OIG     Office of Inspector General
    OMB     Office of Management and Budget
    PAR     Performance and Accountability Report
    RM&A    Risk Management and Assurance
    TSA     Transportation Security Administration
    USCG    United States Coast Guard

Executive Summary

In fiscal year 2010, the Federal Government’s total improper payment amount was at a
high of $121 billion.
In that same year, Congress passed the Improper Payments
Elimination and Recovery Act of 2010 in an effort to reduce improper payments. Since
fiscal year 2010, the Federal Government’s total improper payment rate has declined to
$115 and $108 billion for fiscal years 2011 and 2012, respectively. In addition to
reducing improper payments, the Act requires each agency’s Inspector General to
annually determine if the agency is in compliance with the Act.

Our audit objective was to determine whether the Department of Homeland Security
(DHS) complied with the Act. In addition, we also evaluated the accuracy and
completeness of DHS’ improper payment reporting and its efforts to reduce and recover
improper payments for fiscal year 2012.

We contracted with the independent public accounting firm, KPMG LLP, to determine
whether DHS complied with the Act. KPMG LLP did not find any instances of
noncompliance with the Act.

We reviewed the accuracy and completeness of DHS’ improper payment reporting and
its efforts to reduce and recover improper payments. DHS needs to improve internal
controls to ensure the accuracy and completeness of improper payment reporting.
Specifically, it needs to improve its review processes to ensure that the risk assessments
properly support the components’ determination of programs susceptible to significant
improper payments. Furthermore, DHS needs to adequately segregate duties and
improve its policies and procedures to identify, reduce, and report improper payments.

We made eight recommendations that, if implemented, would improve the accuracy and
completeness of DHS’ improper payment reporting and improve its efforts to recover
any overpayments.
The Department concurred with all of the recommendations.

Background

DHS’ mission is to counter terrorism and enhance U.S. security; secure and manage U.S.
borders; enforce and administer U.S. immigration laws; protect cyber networks and
critical infrastructure; and ensure resilience from disasters. In fiscal years (FY) 2011 and
2012, DHS paid $63.6 billion and $68.1 billion, respectively, in support of its mission.
DHS identified 12 programs as high risk for improper payments based on FY 2012 risk
assessments and FY 2011 payment sample testing. Out of the $11.2 billion in payments
for these high-risk programs, DHS estimates it made a total of $203 million in improper
payments, a 1.82 percent error rate.

On July 22, 2010, the President signed Public Law 111-204, Improper Payments
Elimination and Recovery Act of 2010 (IPERA). The term improper payment—

    A. means any payment that DHS should not have made or that DHS made in an
       incorrect amount under statutory, contractual, administrative, or other legally
       applicable requirements; and
    B. includes any payment to an ineligible recipient, any payment for an ineligible
       service, any duplicate payment, payments for services not received, and any
       payment that does not account for credit for applicable discounts.[1]

IPERA requires that the head of each agency periodically review all programs and
activities administered, and identify the programs and activities that may be susceptible
to significant improper payments.
These reviews shall take into account risk factors
likely to contribute to the susceptibility of significant improper payments. IPERA
considers a program susceptible to improper payments if improper payments in the
program or activity in the preceding fiscal year exceeded $10 million and account for
2.5 percent of program outlays.

With respect to each program identified as susceptible to significant improper
payments, the head of the relevant agency shall produce a statistically valid estimate of
the improper payments made by each program and activity, and include those estimates
in the accompanying materials to the annual financial statements. For FY 2012, DHS
reported an improper payment estimate of $203 million from 12 programs across 4
components.

[1] The Office of Management and Budget (OMB) Circular A-123, Appendix C, “Requirements for Effective
Measurement and Remediation of Improper Payments,” April 14, 2011, also requires a payment to be
considered an improper payment when an agency’s review is unable to discern whether a payment was
proper as a result of insufficient or lack of documentation.

Table 1. DHS FY 2012 Estimated Improper Payment Amounts and Rates

DHS Component                                                      Estimated      Improper   Improper
                                                                     Payment      Payments    Payment
                                                                  Population  ($ millions)   Rate (%)
                                                                ($ millions)
U.S. Customs and Border Protection
  Border Security Fencing                                               $197            $0      0.03%
  Refund and Drawback                                                 $1,343            $0      0.01%
Federal Emergency Management Agency
  Disaster Relief Program – Individuals and Households Program          $880            $3      0.29%
  Disaster Relief Program – Vendor Payments                             $494           $15      3.09%
  Insurance – National Flood Insurance Program                          $794            $6      0.75%
  Grants – Public Assistance Programs                                 $2,990            $9      0.31%
  Grants – Homeland Security Grant Program                            $1,472           $15      1.00%
  Grants – Assistance to Firefighters Grants                            $471            $8      1.60%
  Grants – Transit Security Grants Program                              $196            $3      1.77%
  Grants – Emergency Food and Shelter Program                            $45            $1      2.51%
U.S. Immigration and Customs Enforcement
  Enforcement and Removal Operations                                  $1,570          $133      8.47%
National Protection and Programs Directorate
  Federal Protective Service                                            $733           $10      1.37%
DHS-All Programs                                                     $11,185          $203      1.82%

Source: Data from DHS FY 2012 Annual Financial Report. DHS calculated its FY 2012 estimated improper
payment rates using FY 2011 payment data.

The Office of Management and Budget (OMB) issued Circular A-123, Appendix C,
“Requirements for Effective Measurement and Remediation of Improper Payments,”
parts I and II, April 14, 2011, as guidance for agencies to implement the requirements of
IPERA. This guidance includes responsibilities for the DHS Inspector General to
determine DHS’ compliance with IPERA.
To determine compliance with IPERA, the DHS
Inspector General should review the agency’s Performance and Accountability Report
(PAR) or Annual Financial Report (AFR) and any accompanying information to ensure
that DHS has met IPERA reporting requirements.

In addition, the DHS Inspector General should also evaluate the accuracy and
completeness of agency reporting, and evaluate agency performance in reducing and
recapturing improper payments.

We reviewed the processes and procedures for DHS and the following DHS components:

    • United States Coast Guard (USCG);
    • U.S. Customs and Border Protection (CBP);
    • Federal Emergency Management Agency (FEMA);
    • U.S. Immigration and Customs Enforcement (ICE);
    • National Protection and Programs Directorate (NPPD); and
    • Transportation Security Administration (TSA).

On February 25, 2012, the DHS Risk Management and Assurance Division (RM&A
Division) issued version 2.0 of its Improper Payments Reduction Guidebook (Guidebook).[2]
This Guidebook supports the Department’s efforts to identify, reduce, report, and
recoup improper payments.
It also provides DHS components with instructions for
complying with IPERA, Executive Order 13520, and OMB guidance for the
implementation of IPERA.

[2] Previously known as DHS Office of Chief Financial Officer, Internal Control Program Management Office
or as DHS Office of Chief Financial Officer, Internal Control and Risk Management.

The diagram below shows the process DHS components are required to follow to
identify, estimate, report, and recover improper payments.

Source: Information obtained from the DHS Improper Payments Reduction Guidebook, Office of
Chief Financial Officer, Risk Management and Assurance Division Office.

Results of Audit

To comply with IPERA, an agency is required to conduct risk assessments and report and
publish the results of selected program testing in its AFR.[3] It must also achieve and
report improper payment rates of less than 10 percent for each program. KPMG LLP
(KPMG) did not find any instances of noncompliance with IPERA.

Additionally, we reviewed the processes and procedures by which DHS estimates its
annual improper payment rates. Based on our review, we determined that DHS needs
to improve controls to ensure the accuracy and completeness of improper payment
reporting.

DHS’ Compliance with IPERA

We contracted with KPMG to determine whether DHS complied with IPERA in
FY 2012.
KPMG audited DHS to determine whether it met the following
requirements prescribed by IPERA:

    • Published an AFR and accompanying materials required by OMB on the
      agency website;
    • Conducted required program-specific risk assessments;
    • Published improper payment estimates for high-risk programs;
    • Published programmatic corrective action plans;
    • Published, and has met, annual reduction targets for programs at risk;
    • Achieved and reported a gross improper payment rate of less than
      10 percent for all programs tested; and
    • Reported on its efforts to recover improper payments.

KPMG did not find any instances of noncompliance with IPERA.

[3] The risk assessments are annual reviews of all DHS-administered programs to identify programs
susceptible to significant improper payments.

DHS’ Controls over Improper Payment Testing and Reporting

DHS needs to improve its controls over improper payment testing and reporting.
Specifically, it needs to improve its review processes to ensure that the risk
assessments properly support the components’ determination of programs
susceptible to significant improper payments. Furthermore, DHS needs to
adequately segregate duties and improve its policies and procedures to identify,
reduce, and report improper payments.
These conditions occurred because DHS
guidance was unclear and DHS RM&A Division’s review was not comprehensive.

Components’ Risk Assessments

Components did not properly support the conclusions made in the risk
assessments. Specifically, they did not perform interviews, properly support
their risk templates, or obtain proper approval of the risk assessments. The DHS
Guidebook requires the components to perform comprehensive risk
assessments to identify programs susceptible to significant improper payments.
To accomplish this task, DHS designed a detailed methodology that requires the
components to perform the following activities:

    1. Identify programs and determine population and scope of the
       component programs assessed.
    2. Conduct and document interviews.
    3. Populate a risk template.[4]
    4. Validate risk elements and weights for each component program
       evaluated.
    5. Identify programs at significant risk of improper payments.

CBP and USCG officials stated that they did not conduct and document risk
assessment interviews to gain a full understanding of the payment risks each
program faced. According to a CBP official, they did not perform any interviews
with the program offices to complete the risk assessments. USCG officials stated
that they primarily relied on previous years’ risk assessments to complete the
FY 2012 risk assessments. FEMA performed interviews but did not interview
program managers or senior management as required by the DHS Guidebook.

CBP, TSA, and FEMA did not properly support the conclusions made in the risk
template.
The DHS Guidebook requires the components to assign a weight (risk
weight) to reflect the level of importance and influence of established risk
conditions and a score (risk score) to the risk conditions to reflect the degree of
risk present. The risk weight and risk score explanations should be included in
the risk template and understandable to an outside reviewer.

[4] The risk template is populated with quantitative values (program disbursements) and qualitative values
(degree of risk) to determine programs susceptible to improper payments.

CBP, TSA, and FEMA risk weight explanations did not provide enough
information to be understandable to a DHS reviewer. Specifically:

    • CBP’s risk template explained that it populated each risk condition based
      on the perceived risk it concluded corresponded to each applicable
      condition.
    • TSA explained that the USCG Finance Center processed TSA payments
      and contracts. TSA determined the weight of each risk condition based
      on prior issues found during external audits, internal reviews, and input
      from each program office.
    • FEMA, with the exception of grants, did not provide any explanation
      because it used the standard risk condition weights provided in the risk
      templates.

The explanations did not support why they gave certain weights for each risk
condition or why risk weight distributions varied by program. In addition, FEMA
and CBP changed the risk scores for some risk conditions but used the same
explanation as FY 2011 to support the new score.

The CBP Chief Financial Officer (CFO) or Deputy CFO did not review and sign off
on CBP’s final risk assessment. According to the DHS Guidebook, risk assessments
that are reviewed and approved by the DHS RM&A Division will undergo a last
step before they are considered final: component CFO or Deputy CFO review
and sign-off. According to CBP officials, the highest level of review and approval
given to CBP’s risk assessment was by the Director, Financial Management
Division, who is neither the CFO nor the Deputy CFO.

Independence

CBP did not have independent personnel developing and conducting the sample
test plans. The DHS Guidebook indicates that payment reviewers should not
have a role in processing or approving the specific payments under review. To
the extent possible, payment reviewers should not have explicit annual
performance goals related to reducing improper payments.
OMB Circular A-123
provides that control activities include policies, procedures, and mechanisms in
place to ensure that agencies meet their objectives. This includes proper
segregation of duties designed to reduce improper payments, and test payment
files for improper payments. This segregation will promote independence and
reduce the risk of inaccurate or incomplete improper payment data.

CBP has two high-risk programs that required sample testing, Border Security
Fencing and Refunds and Drawbacks.[5] The Accounts Payable Directorate, which is
directly responsible for reducing improper payments, oversaw the sample
testing. The Accounts Payable Directorate designed the testing plan, distributed
the sample to the testing teams, and reviewed the testing teams’ results prior to
submitting the information to the DHS RM&A Division. In addition, the testing
team for one of the high-risk programs was the original approving authority for
the disbursements under review. This is a repeat finding and recommendation
previously reported in FY 2011.[6]

[5] Reimbursement of duty paid for imported goods if exporting or returning goods to the supplier.
[6] DHS OIG, “Department of Homeland Security’s Compliance with the Improper Payments Elimination and
Recovery Act of 2010,” OIG-12-48, March 2012.

DHS Guidebook

The DHS Guidebook provided components with background of applicable IPERA
guidance and instructions to help the Department meet IPERA requirements.
However, the components often needed to rely on additional instructions to
complete the Guidebook requirements because of the inconsistency of its
instructions. For example, the Guidebook devotes one section to discussing how
the components determine the risk elements for evaluating each program.
According to the Guidebook, the DHS RM&A Division provides components with
a risk template, which they need to support with specific risk documentation.
However, the DHS Guidebook does not explain what documentation the RM&A
Division expected from the components to support the risk template. From
other sections of the Guidebook, it can be inferred that because the risk
template should be based on existing documentation and management
knowledge, the results of program office and management interviews, the
results of audit findings and review findings, and from other improper payment
work, this information should be properly documented as support for the
risk template. The Guidebook does not specifically state RM&A Division’s
expectations of specific risk documentation for the risk template. The DHS OIG
also noted issues with the Guidebook during the FY 2011 DHS OIG IPERA audit.
The RM&A Division made some improvements to the Guidebook in October
2012, based on feedback from the components.

DHS RM&A Division’s Reviews

DHS RM&A Division’s reviews should have found that the components did not
properly support their risk assessments. The Division’s responsibilities included
issuing the DHS Guidebook; reviewing and approving the components’
comprehensive risk assessment and sample test plans; and performing an
independent review of the sample test results. It reviewed all of the
components’ IPERA deliverables, which included risk assessments. The RM&A
Division’s risk assessment review consisted of comparing the FY 2011 and
FY 2012 risk weight and risk score narratives to identify differences. If the
Division identified a difference between fiscal year information, it occasionally
requested additional clarification from the component to understand the
change. The Division review did not include obtaining and reviewing the
summary interviews to ensure that the components properly supported the risk
weights and risk scores. Reviewing the summaries would have also identified
that CBP and USCG did not perform the required interviews.

Because the DHS RM&A Division only analyzed the differences between FYs 2011
and 2012 risk weight and risk score narratives, it did not identify that the risk
weights and risk scores were not properly supported.
It did identify some errors
during its review; however, it approved the risk assessment without requiring
the components to complete the corrections.

The DHS RM&A Division also did not always follow the instructions or guidance
that it issued. The Division’s DHS Guidebook required the components to submit
a summary write-up of the interviews to the RM&A Division for review and the
component CFO or Deputy CFO to review and sign off on the risk assessments
before they were considered final. During the FY 2012 IPERA review, the RM&A
Division determined that it would not request the summary interviews and that
CFO approval was not a specific requirement of the DHS Guidebook. In addition,
the Division required the components to use DHS’ electronic Program
Management Office (ePMO) as a method for DHS RM&A to store, share, review,
and approve IPERA documents online.
However, the RM&A Division frequently\n           reviewed and approved IPERA deliverables using email instead of using ePMO.\n           For example, USCG received an email message from the RM&A Division\n           approving the test plan in May, but the ePMO did not document RM&A\n           Division\xe2\x80\x99s approval until September.\n\n\n\n\nwww.oig.dhs.gov                                10                                       OIG-13-47\n\n\x0c                             OFFICE OF INSPECTOR GENERAL\n                                Department of Homeland Security\n\n\n           Recommendations\n\n           We recommend that the Chief Financial Officer, Department of Homeland\n           Security ensure that\xe2\x80\x94\n\n           Recommendation #1:\n\n           DHS Risk Management and Assurance Division obtains and reviews the\n           components\xe2\x80\x99 interviews to ensure that the risk weights and risk scores are\n           accurate and supported.\n\n           Recommendation #2:\n\n           DHS Risk Management and Assurance Division requires all components to\n           provide detailed explanations and references to supporting documentation as to\n           how they determined each risk weight and risk score.\n\n           Recommendation #3:\n\n           U.S. Customs and Border Protection and the United States Coast Guard perform\n           interviews as part of the risk assessment process.\n\n           Recommendation #4:\n\n           Federal Emergency Management Agency performs interviews of the program\n           managers or senior management.\n\n           Recommendation #5:\n\n           U.S. 
Customs and Border Protection’s risk assessment is reviewed and approved
by the Chief Financial Officer.

We also recommend that the Chief Financial Officer, Department of Homeland
Security:

Recommendation #6:

Modify the DHS Guidebook to add clarification that explicitly describes how to
complete the components’ risk assessments.

Recommendation #7:

Develop and implement procedures to ensure the approval of risk templates
only after the components have made all corrections.

Recommendation #8:

Develop standard operating procedures that clearly identify how the IPERA
reviews and approvals will be coordinated with the components.

Management Comments and OIG Analysis

A copy of DHS’ response in its entirety is included as Appendix B. The
components also provided technical comments and suggested revisions to our
report in a separate document. We reviewed the technical comments and made
changes in the report when appropriate.

DHS acknowledged that it is still working to close the two remaining
recommendations from the FY 2011 audit. Those recommendations required
DHS to improve personnel independence in the testing phase and enhance the
Department’s recovery auditing efforts.[7] DHS plans to have FY 2011 corrective
actions completed by September 30, 2013.
For the FY 2012 audit, DHS
concurred with all eight recommendations and has begun to formulate plans to
implement the recommendations contained in the report. A summary of the
responses and our analysis follows.

Management Response to Recommendation #1: DHS concurs. DHS has begun
action to address this recommendation. In February 2013, as part of its FY 2013
risk assessment reviews, the RM&A Division formally requested the interview
materials from all components. The RM&A Division will review the interview
material to ensure that risk weights and scores submitted by the components
are accurate and appropriately supported. DHS estimates that the RM&A
Division will have all reviews completed by March 29, 2013.

OIG Analysis: The recommendation will remain open and resolved until we have
reviewed the risk weights and risk scores with the supporting interviews.

[7] DHS OIG, “Department of Homeland Security’s Compliance with the Improper Payments Elimination and
Recovery Act of 2010” OIG-12-48, March 2012.

Management Response to Recommendation #2: DHS concurs. To address this
recommendation, the RM&A Division has begun to review the submissions and
coordinated with the components when necessary to ensure that submitted risk
weights and scores are accurate and adequately supported.
DHS estimates that
the RM&A Division will have all reviews completed by March 29, 2013.

OIG Analysis: The recommendation will remain open and resolved until we have
reviewed the risk weights and risk scores with the supporting documentation.

Management Response to Recommendation #3: DHS concurs. DHS has already
taken action to address this recommendation. Specifically, CBP will keep
separate interview notes, which will be available to independent reviewers,
rather than directly integrating interview findings into the risk assessment, as
was done in FY 2012. USCG will conduct interviews, validate data, and update
the risk conditions. DHS estimates that the interviews will be completed by
March 29, 2013.

OIG Analysis: The recommendation will remain open and resolved until we have
reviewed the CBP and USCG interviews.

Management Response to Recommendation #4: DHS concurs. DHS estimates
that FEMA will perform interviews of program managers and/or senior
management by March 29, 2013.

OIG Analysis: The recommendation will remain open and resolved until we have
reviewed the FEMA interviews.

Management Response to Recommendation #5: DHS concurs. DHS estimates
that the CBP CFO will review and approve the FY 2013 risk assessment submission
by March 29, 2013.

OIG Analysis: The recommendation will remain open and resolved until we have
reviewed the CBP risk assessment.

Management Response to Recommendation #6: DHS concurs.
DHS estimates
that by March 29, 2013, the RM&A Division will update the DHS Guidebook to
clarify what documentation is adequate and required to support the risk template.

OIG Analysis: The recommendation will remain open and resolved until we have
reviewed the DHS Guidebook.

Management Response to Recommendation #7: DHS concurs. DHS is taking
actions to address this recommendation. Specifically, the RM&A Division has
developed procedures to ensure that requested corrections and adjustments are
addressed before final approval and acceptance of risk assessments. DHS
estimates that the procedures will be implemented by March 29, 2013.

OIG Analysis: The recommendation will remain open and resolved until we have
reviewed the procedures.

Management Response to Recommendation #8: DHS concurs.
DHS estimates
that by March 29, 2013, the RM&A Division will have implemented additional
standard operating procedures for the review and final approval of risk
assessments.

OIG Analysis: The recommendation will remain open and resolved until we have
reviewed the procedures.

Appendix A
Objectives, Scope, and Methodology

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was
established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment
to the Inspector General Act of 1978. This is one of a series of audit, inspection, and
special reports prepared as part of our oversight responsibilities to promote economy,
efficiency, and effectiveness within the Department.

The audit objective was to determine whether DHS complied with the Improper
Payments Elimination and Recovery Act of 2010. In addition, we also evaluated the
accuracy and completeness of DHS’ improper payment reporting and its efforts in
reducing and recovering improper payments for FY 2012.

The scope of the audit is DHS’ FY 2012 efforts to comply with IPERA. We limited our
scope to certain DHS components. We reviewed all components identified in DHS’ AFR
for FY 2011 as vulnerable to significant improper payments based on the FY 2011 risk
assessments and prior year payment sample testing. The components reviewed were
the United States Coast Guard, U.S. Customs and Border Protection, Federal Emergency
Management Agency, U.S.
Immigration and Customs Enforcement, Transportation
Security Administration, and National Protection and Programs Directorate.

To understand DHS’ requirements under IPERA and DHS’ policies and procedures to
meet those requirements, we obtained and reviewed relevant authorities and guidance
including IPERA, OMB’s memorandum on implementing IPERA, and the DHS Improper
Payments Reduction Guidebook. We also interviewed officials in DHS’ Office of Chief
Financial Officer and the various components directly involved with IPERA
implementation.

We contracted with independent auditor KPMG LLP to determine DHS compliance with
IPERA. The contract required that KPMG perform its audit in accordance with generally
accepted government auditing standards. Those standards require that the auditors
plan and perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for their findings and conclusions based upon the audit objectives.

At each component, KPMG performed the following:

• Obtained and read relevant authorities and guidance;
• Interviewed component management;
• Reviewed component policies;
• Reviewed components’ risk assessment processes;
• Reviewed components’ sampling plans and methodologies; and
• Reviewed components’ corrective action plans.

At DHS, KPMG reviewed DHS’ FY 2012 AFR to determine compliance with reporting
requirements.

To evaluate the accuracy and completeness of DHS’ improper payment reporting,
we
performed the following procedures:

• Reviewed components’ risk assessments;
• Reconciled components’ risk assessments with FY 2011 gross disbursement data;
• Reviewed sample test plans and results; and
• Reviewed DHS’ internal controls over the processes and procedures used to
  estimate the improper payment rate, including the risk assessment process,
  testing, and reporting.

We did not conduct any sample payment testing to validate DHS’ estimated improper
payment rates reported in the FY 2012 AFR.

To evaluate DHS’ performance in reducing and recapturing improper payments, we
performed the following procedures:

• Reviewed DHS’ corrective action plans; and
• Determined recovery audits performed.

We conducted this performance audit between August 2012 and January 2013 pursuant
to the Inspector General Act of 1978, as amended, and according to generally accepted
government auditing standards. Those standards require that we plan and perform the
audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based upon our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions based upon our
audit objectives.

Appendix B
Management Comments to the Draft Report

U.S.
Department of Homeland Security
Washington, DC 20528

March 4, 2013

MEMORANDUM FOR:  Anne L. Richards
                 Assistant Inspector General for Audit

FROM:            Jim H. Crumpacker
                 Director
                 Departmental GAO-OIG Liaison Office

SUBJECT:         Department of Homeland Security's FY 2012 Compliance with the
                 Improper Payments Elimination and Recovery Act of 2010
                 (Project No. 12-002-AUD-MGMT)

Thank you for the opportunity to review and comment on this draft report.
We appreciate the
Office of Inspector General's (OIG's) work in conducting this statutorily required annual review
and issuing this report.

We are pleased to note that for the fourth year in a row, KPMG LLP, the Department's
independent auditor, has not identified any instances of noncompliance with the Improper
Payments Elimination and Recovery Act of 2010 (IPERA), as amended. With respect to your
Fiscal Year (FY) 2011 audit[1] recommendations, we acknowledge closure of four of the six
recommendations and advancement to closure on the remaining two.

Specifically, the first open recommendation relates to improving personnel independence in the
testing phase. We note the finding related to this recommendation has been partially addressed.
Last year's report identified independence issues for Headquarters and two Components; this
year's report identified only one Component. The second open recommendation relates to
enhancing the Department's recovery auditing efforts, where cost effective. We have found that
recovery auditing is not cost effective at the U.S. Secret Service because of security restrictions
that necessitate all recovery audit work be performed on-site, the relatively small size of the U.S.
Secret Service, and vendor feedback. We are working to improve our targeted recovery audit
efforts for the U.S. Coast Guard (USCG) and its cross-serviced Components (i.e., the
Transportation Security Administration and the Domestic Nuclear Detection Office), and these
efforts will be completed by September 30, 2013.

The Department has enhanced its efforts to eliminate improper payments.
For example, the
Federal Emergency Management Agency (FEMA), working closely with the DHS Chief
Financial Officer's Risk Management and Assurance Division (RM&A), continues to
consistently reduce the estimated error rate for FEMA's high-risk programs. Specifically, the
overall error rate dropped from 8.0 percent reported in FY 2009 to 1.7 percent in FY 2010. The
error rate fell below the reduced agency target rate of 1.5 percent in FY 2011 and FY 2012,
2 years in advance of the FY 2014 requirement. This improvement is a result of continuous
focus and efforts by the RM&A and FEMA staffs, who led and completed corrective action plans
to eliminate improper payments. Other FEMA improvements include adding applicant eligibility
edit checks, standardizing documentation requirements, and providing training on the root causes
of errors and steps to address payment risks.

[1] Department of Homeland Security's Compliance with the Improper Payments Elimination and Recovery Act of
2010 (OIG-12-48, March 2012).

The Department has also enhanced its efforts to eliminate improper payments above and beyond
the statutory and regulatory requirements. In FY 2012, RM&A staff completed independent
reviews of Component payment sample test results.
The resulting reports allowed us to confirm
findings and provide Component-specific and general recommendations to further improve the
accuracy and efficiency of payment testing. The Department has instituted several efforts to
improve payment controls and processes, and implemented the statutorily required "Do Not Pay
Portal" databases. This portal will allow DHS to leverage existing government databases to
identify and prevent potential improper payments. In addition, we have organized a Payment
Center Work Group, bringing together Department and Component experts in payment
management and processing, internal controls, and procurement to identify sources and causes of
improper payments and existing best practices, as well as to promote the implementation of those
practices.

Your FY 2012 report contained eight recommendations with which the Department concurs.
Several of the recommendations require similar actions to close. The attached chart summarizes
the completed and planned actions we have identified to address each recommendation. We
request that all the recommendations be considered resolved and open.

Specifically, OIG recommended that the Chief Financial Officer, Department of Homeland
Security ensure that the:

Recommendation 1: DHS Risk Management and Assurance Division obtains and reviews the
components' interviews to ensure the risk weights and risk scores are accurate and supported.
Estimated Completion Date (ECD): March 29, 2013.

Response: Concur. DHS has already taken action to address this recommendation.
Specifically,
Components were provided notice of this requirement during an October 17, 2012
Workshop on the Department's FY 2013 update to the Improper Payments Reduction Guidebook
(Guidebook). Subsequently, RM&A requested interview materials from all Components on
February 4, 2013, as part of its FY 2013 risk assessment review. These materials are being
examined by RM&A staff to ensure risk weights and scores submitted by Components are
accurate and appropriately supported.

Recommendation 2: DHS Risk Management and Assurance Division requires all components
to provide detailed explanations and references to supporting documentation as to how they
determined each risk weight and risk score.

Response: Concur. DHS has already taken action to address this recommendation.
Specifically, the RM&A staff have reviewed the submissions and have extensively discussed
with and made additional requests to Components where necessary to ensure submitted risk
weights and scores are accurate and adequately supported. ECD: March 29, 2013.

Recommendation 3: U.S. Customs and Border Protection [CBP] and the U.S. Coast Guard
perform interviews as part of the risk assessment process.

Response: Concur. DHS has already taken action to address this recommendation.
Specifically,
the Internal Controls Branch within the CBP Office of the Chief Financial Officer
(OCFO) will keep separate interview notes, which will be available to independent reviewers,
rather than directly integrating interview findings into the risk assessment, as was done in FY
2012. The USCG OCFO will conduct interviews, validate data, and update risk conditions.
ECD: March 29, 2013.

Recommendation 4: Federal Emergency Management Agency [FEMA] performs interviews of
the program managers or senior management.

Response: Concur. The FEMA OCFO will perform interviews of program managers and/or
senior management. ECD: March 29, 2013.

Recommendation 5: U.S. Customs and Border Protection's risk assessment is reviewed and
approved, at a minimum, by the Deputy Chief Financial Officer.

Response: Concur. CBP's Chief Financial Officer will sign the risk assessment submission
after RM&A's final review and approval. ECD: March 29, 2013.

Recommendation 6: Modify the DHS Guidebook to add clarification that explicitly describes
how to complete the components' risk assessments.

Response: Concur. RM&A will update the Guidebook to ensure clarification of what
documentation is adequate and required to support the risk template. ECD: March 29, 2013.

Recommendation 7: Develop and implement procedures to ensure the approval of risk
templates only after the components have made all corrections.

Response: Concur. DHS is taking action to address this recommendation. Specifically, RM&A
developed procedures in support of the Guidebook.
These procedures will ensure that requested
corrections and adjustments are addressed before final approval and acceptance of risk
assessments. ECD: March 29, 2013.

Recommendation 8: Develop standard operating procedures that clearly identify how the
IPERA reviews and approvals will be coordinated with the components.

Response: Concur. RM&A will include additional standard operating procedures related to the
coordination of review and final approval of risk assessments. ECD: March 29, 2013.

Again, thank you for the opportunity to review and comment on this draft report. Technical
comments were previously submitted under separate cover. Please feel free to contact me if you
have any questions. We look forward to working with you in the future.

Attachment

Appendix C
Major Contributors to This Report

Sandra John, Director
Devon R. Houston, Audit Manager
Hope E.
Franklin, Auditor
Kendra L. Loper, Auditor
Irene Aultman, Auditor
Natalie K. Fussell, Program Analyst
Roger W. Thoet, Auditor
John D. Kohler, Program Analyst
Jeff H. Mun, Auditor
Brian D. Smythe, Program Analyst
Heidi Y. Adams, Intern
Kevin Dolloson, Communications Analyst
Ralleisha Dean, Independent Referencer

Appendix D
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretary
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Component Liaison, U.S. Coast Guard
Component Liaison, Customs and Border Protection
Component Liaison, Federal Emergency Management Agency
Component Liaison, Immigration and Customs Enforcement
Component Liaison, National Protection and Programs Directorate
Component Liaison, Transportation Security Administration
Acting Chief Privacy Officer

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Committee on Homeland Security and Governmental Affairs of the Senate
Committee on Oversight and Governmental Reform of the House of Representatives

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this document, please call us at (202) 254-4100, fax your
request to (202) 254-4305, or e-mail your request to our Office of Inspector General
(OIG) Office of Public Affairs at:
DHS-OIG.OfficePublicAffairs@oig.dhs.gov.

For additional information, visit our website at: www.oig.dhs.gov, or follow us on Twitter
at: @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any
other kinds of criminal or noncriminal misconduct relative to Department of Homeland
Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov
and click on the red tab titled "Hotline" to report. You will be directed to complete and
submit an automated DHS OIG Investigative Referral Submission Form. Submission
through our website ensures that your complaint will be promptly received and
reviewed by DHS OIG.

Should you be unable to access our website, you may submit your complaint in writing
to: DHS Office of Inspector General, Attention: Office of Investigations Hotline, 245
Murray Drive, SW, Building 410/Mail Stop 2600, Washington, DC, 20528; or you may
call 1 (800) 323-8603; or fax it directly to us at (202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.